REPORT / 01

Analysis Report · mybb mybb_1807 → mybb_1808

Shared security patch analysis results

mode patchdiff ai claude_cli haiku
inc/functions.php AI: 7 vulnerabilities 3 false positives, 4 true positives
--- cache/mybb_mybb_1807/inc/functions.php	2025-12-06 11:32:55.214127789 +0000+++ cache/mybb_mybb_1808/inc/functions.php	2025-12-06 11:32:55.974176867 +0000@@ -598,7 +598,7 @@ function verify_post_check($code, $silent=false) { 	global $lang;-	if(generate_post_check() != $code)+	if(generate_post_check() !== $code) 	{ 		if($silent == true) 		{@@ -865,7 +865,7 @@  	if($mybb->user['uid']) 	{-		$lang->error_nopermission_user_username = $lang->sprintf($lang->error_nopermission_user_username, $mybb->user['username']);+		$lang->error_nopermission_user_username = $lang->sprintf($lang->error_nopermission_user_username, htmlspecialchars_uni($mybb->user['username'])); 		eval("\$errorpage = \"".$templates->get("error_nopermission_loggedin")."\";"); 	} 	else@@ -966,7 +966,7 @@  		run_shutdown(); -		if(my_substr($url, 0, 7) !== 'http://' && my_substr($url, 0, 8) !== 'https://' && my_substr($url, 0, 1) !== '/')+		if(!my_validate_url($url, true)) 		{ 			header("Location: {$mybb->settings['bburl']}/{$url}"); 		}@@ -1209,7 +1209,7 @@  * Fetch the usergroup permissions for a specific group or series of groups combined  *  * @param int|string $gid A list of groups (Can be a single integer, or a list of groups separated by a comma)- * @return array Array of permissions generated for the groups+ * @return array Array of permissions generated for the groups, containing also a list of comma-separated checked groups under 'all_usergroups' index  */ function usergroup_permissions($gid=0) {@@ -1224,14 +1224,16 @@  	if(count($groups) == 1) 	{+		$groupscache[$gid]['all_usergroups'] = $gid; 		return $groupscache[$gid]; 	}-	+ 	$usergroup = array();+	$usergroup['all_usergroups'] = $gid;  	foreach($groups as $gid) 	{-		if(trim($gid) == "" || !$groupscache[$gid])+		if(trim($gid) == "" || empty($groupscache[$gid])) 		{ 			continue; 		}@@ -1714,14 +1716,19 @@ 			{ 				foreach($modcache as $modusers) 				{-					if(isset($modusers['users'][$uid]) && $modusers['users'][$uid]['mid'])+					
if(isset($modusers['users'][$uid]) && $modusers['users'][$uid]['mid'] && (!$action || !empty($modusers['users'][$uid][$action]))) 					{ 						return true; 					}-					elseif(isset($user_perms['gid']) && isset($modusers['usergroups'][$user_perms['gid']]))++					$groups = explode(',', $user_perms['all_usergroups']);++					foreach($groups as $group) 					{-						// Moderating usergroup-						return true;+						if(trim($group) != '' && isset($modusers['usergroups'][$group]) && (!$action || !empty($modusers['usergroups'][$group][$action])))+						{+							return true;+						} 					} 				} 			}@@ -1794,7 +1801,14 @@ 		eval("\$iconlist .= \"".$templates->get("posticons_icon")."\";"); 	} -	eval("\$posticons = \"".$templates->get("posticons")."\";");+	if(!empty($iconlist))+	{+		eval("\$posticons = \"".$templates->get("posticons")."\";");+	}+	else+	{+		$posticons = '';+	}  	return $posticons; }@@ -2145,7 +2159,7 @@ 	{ 		mb_internal_encoding($mbIntEnc); 	}-	+ 	return $out; } @@ -2165,27 +2179,27 @@ 	{ 		return 'N;'; 	}-	+ 	if(is_bool($value)) 	{ 		return 'b:'.(int)$value.';'; 	}-	+ 	if(is_int($value)) 	{ 		return 'i:'.$value.';'; 	}-	+ 	if(is_float($value)) 	{ 		return 'd:'.str_replace(',', '.', $value).';'; 	}-	+ 	if(is_string($value)) 	{ 		return 's:'.strlen($value).':"'.$value.'";'; 	}-	+ 	if(is_array($value)) 	{ 		$out = '';@@ -2193,7 +2207,7 @@ 		{ 			$out .= _safe_serialize($k) . _safe_serialize($v); 		}-		+ 		return 'a:'.count($value).':{'.$out.'}'; 	} @@ -2216,13 +2230,13 @@ 		$mbIntEnc = mb_internal_encoding(); 		mb_internal_encoding('ASCII'); 	}-	+ 	$out = _safe_serialize($value); 	if(isset($mbIntEnc)) 	{ 		mb_internal_encoding($mbIntEnc); 	}-	+ 	return $out; } 
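Review bot: The group loop in the `@@ -1714` hunk reads `$user_perms['all_usergroups']` unconditionally, whereas the removed branch guarded its key with `isset($user_perms['gid'])`. On this page the key is only set by the `usergroup_permissions()` change in the `@@ -1224` hunk, and the origin of `$user_perms` is outside this hunk; if it can come from any other source, group moderators would silently stop matching and PHP would raise an undefined-index notice. A guard keeps the behaviour explicit: `$groups = !empty($user_perms['all_usergroups']) ? explode(',', $user_perms['all_usergroups']) : array();`. The condition also trims `$group` for the emptiness test but indexes `$modusers['usergroups']` with the untrimmed value.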
@@ -2414,7 +2428,7 @@ 		$query = $db->simple_select("users", "uid, username", "", array('order_by' => 'regdate', 'order_dir' => 'DESC', 'limit' => 1)); 		$lastmember = $db->fetch_array($query); 		$new_stats['lastuid'] = $lastmember['uid'];-		$new_stats['lastusername'] = $lastmember['username'];+		$new_stats['lastusername'] = $lastmember['username'] = htmlspecialchars_uni($lastmember['username']); 	}  	if(!empty($new_stats))@@ -2975,7 +2989,7 @@ 	{ 		$str[] = $set[my_rand(0, 61)]; 	}-	+ 	// Make sure they're in random order and convert them to a string 	shuffle($str); @@ -3028,7 +3042,7 @@  */ function format_avatar($avatar, $dimensions = '', $max_dimensions = '') {-	global $mybb;+	global $mybb, $theme; 	static $avatars;  	if(!isset($avatars))@@ -3039,7 +3053,12 @@ 	if(!$avatar) 	{ 		// Default avatar-		$avatar = $mybb->settings['useravatar'];+		if(defined('IN_ADMINCP'))+		{+			$theme['imgdir'] = '../images';+		}++		$avatar = str_replace('{theme}', $theme['imgdir'], $mybb->settings['useravatar']); 		$dimensions = $mybb->settings['useravatardims']; 	} 
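Review bot: In the `@@ -2414` hunk `lastusername` is HTML-escaped before it is placed in `$new_stats`, so the encoded form, not the raw name, is what presumably gets persisted. Any reader that already calls `htmlspecialchars_uni()` on it will double-encode, and any reader that uses it outside HTML receives entity text; the consumers are not visible here and need checking. If storage-time escaping is intended, record it where the key is written, e.g. `// lastusername is stored HTML-escaped; do not escape again on output`. The chained assignment also rewrites `$lastmember['username']`, which two separate statements would make easier to see. The enclosing function starts and ends outside the hunk.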
@@ -3214,12 +3233,6 @@ 			$emoticons_enabled = "false"; 			if($smilies) 			{-				if($mybb->settings['smilieinserter'] && $mybb->settings['smilieinsertercols'] && $mybb->settings['smilieinsertertot'])-				{-					$emoticon = ",emoticon";-				}-				$emoticons_enabled = "true";- 				if(!$smiliecache) 				{ 					if(!isset($smilie_cache) || !is_array($smilie_cache))@@ -3233,6 +3246,12 @@ 					} 				} +				if($mybb->settings['smilieinserter'] && $mybb->settings['smilieinsertercols'] && $mybb->settings['smilieinsertertot'] && !empty($smiliecache))+				{+					$emoticon = ",emoticon";+				}+				$emoticons_enabled = "true";+ 				unset($smilie);  				if(is_array($smiliecache))@@ -3256,7 +3275,7 @@  						if(!$mybb->settings['smilieinserter'] || !$mybb->settings['smilieinsertercols'] || !$mybb->settings['smilieinsertertot'] || !$smilie['showclickable']) 						{-							$hiddensmilies .= '"'.$find.'": "'.$image.'",';							+							$hiddensmilies .= '"'.$find.'": "'.$image.'",'; 						} 						elseif($i < $mybb->settings['smilieinsertertot']) 						{@@ -3389,7 +3408,7 @@ 				eval("\$getmore = \"".$templates->get("smilieinsert_getmore")."\";"); 			} -			$smilies = "";+			$smilies = ''; 			$counter = 0; 			$i = 0; 
@@ -3398,15 +3417,10 @@ 			{ 				if($i < $mybb->settings['smilieinsertertot'] && $smilie['showclickable'] != 0) 				{-					if($counter == 0)-					{-						$smilies .=  "<tr>\n";-					}-					 					$smilie['image'] = str_replace("{theme}", $theme['imgdir'], $smilie['image']); 					$smilie['image'] = htmlspecialchars_uni($mybb->get_asset_url($smilie['image'])); 					$smilie['name'] = htmlspecialchars_uni($smilie['name']);-					+ 					// Only show the first text to replace in the box 					$temp = explode("\n", $smilie['find']); // assign to temporary variable for php 5.3 compatibility 					$smilie['find'] = $temp[0];@@ -3416,14 +3430,15 @@ 					$onclick = " onclick=\"MyBBEditor.insertText(' $find ');\""; 					$extra_class = ' smilie_pointer'; 					eval('$smilie = "'.$templates->get('smilie', 1, 0).'";');-					eval("\$smilies .= \"".$templates->get("smilieinsert_smilie")."\";");+					eval("\$smilie_icons .= \"".$templates->get("smilieinsert_smilie")."\";"); 					++$i; 					++$counter;  					if($counter == $mybb->settings['smilieinsertercols']) 					{ 						$counter = 0;-						$smilies .= "</tr>\n";+						eval("\$smilies .= \"".$templates->get("smilieinsert_row")."\";");+						$smilie_icons = ''; 					} 				} 			}@@ -3431,7 +3446,7 @@ 			if($counter != 0) 			{ 				$colspan = $mybb->settings['smilieinsertercols'] - $counter;-				$smilies .= "<td colspan=\"{$colspan}\">&nbsp;</td>\n</tr>\n";+				eval("\$smilies .= \"".$templates->get("smilieinsert_row_empty")."\";"); 			}  			eval("\$clickablesmilies = \"".$templates->get("smilieinsert")."\";");@@ -3644,7 +3659,7 @@  	$default_selected = array(); 	$selected_pid = (int)$selected_pid;-	+ 	if($selected_pid == 0) 	{ 		$default_selected['all'] = ' selected="selected"';@@ -3800,7 +3815,7 @@ 	{ 		$reputation_class = "reputation_neutral"; 	}-	+ 	$reputation = my_number_format($reputation);  	if($uid != 0)@@ -4136,9 +4151,9 @@ 			$unviewable[] = $forum['fid']; 		} 	}-	+ 	$unviewableforums = implode(',', $unviewable);-	+ 	return 
$unviewableforums; } 
@@ -4885,7 +4900,7 @@ 	{ 		$location = htmlspecialchars_uni($_ENV['PATH_INFO']); 	}-	+ 	if($quick) 	{ 		return $location;@@ -4997,13 +5012,6 @@  	if(is_array($tcache[$tid])) 	{-		// Figure out what groups this user is in-		if(isset($mybb->user['additionalgroups']))-		{-			$in_groups = explode(",", $mybb->user['additionalgroups']);-		}-		$in_groups[] = $mybb->user['usergroup'];- 		foreach($tcache[$tid] as $theme) 		{ 			$sel = "";@@ -5701,6 +5709,7 @@  */ function get_event_poster($event) {+	$event['username'] = htmlspecialchars_uni($event['username']); 	$event['username'] = format_name($event['username'], $event['usergroup'], $event['displaygroup']); 	$event_poster = build_profile_link($event['username'], $event['author']); 	return $event_poster;@@ -5717,7 +5726,7 @@ 	global $mybb;  	$event_date = explode("-", $event['date']);-	$event_date = mktime(0, 0, 0, $event_date[1], $event_date[0], $event_date[2]);+	$event_date = gmmktime(0, 0, 0, $event_date[1], $event_date[0], $event_date[2]); 	$event_date = my_date($mybb->settings['dateformat'], $event_date);  	return $event_date;@@ -6171,7 +6180,7 @@ 			} 		} 	}-	+ 	$inactiveforums = implode(",", $inactive);  	return $inactiveforums;@@ -6676,6 +6685,8 @@ 		"6.5" => $lang->timezone_gmt_650, 		"7" => $lang->timezone_gmt_700, 		"8" => $lang->timezone_gmt_800,+		"8.5" => $lang->timezone_gmt_850,+		"8.75" => $lang->timezone_gmt_875, 		"9" => $lang->timezone_gmt_900, 		"9.5" => $lang->timezone_gmt_950, 		"10" => $lang->timezone_gmt_1000,@@ -6754,7 +6765,48 @@  */ function fetch_remote_file($url, $post_data=array(), $max_redirects=20) {-	global $mybb;+	global $mybb, $config;++	$url_components = @parse_url($url);++	if(+		!$url_components ||+		empty($url_components['host']) ||+		(!empty($url_components['scheme']) && !in_array($url_components['scheme'], array('http', 'https'))) ||+		(!empty($url_components['port']) && !in_array($url_components['port'], array(80, 8080, 443))) ||+		(!empty($config['disallowed_remote_hosts']) && 
in_array($url_components['host'], $config['disallowed_remote_hosts']))+	)+	{+		return false;+	}++	if(!empty($config['disallowed_remote_addresses']))+	{+		$addresses = gethostbynamel($url_components['host']);+		if($addresses)+		{+			foreach($config['disallowed_remote_addresses'] as $disallowed_address)+			{+				$ip_range = fetch_ip_range($disallowed_address);+				foreach($addresses as $address)+				{+					$packed_address = my_inet_pton($address);++					if(is_array($ip_range))+					{+						if(strcmp($ip_range[0], $packed_address) <= 0 && strcmp($ip_range[1], $packed_address) >= 0)+						{+							return false;+						}+					}+					elseif($address == $disallowed_address)+					{+						return false;+					}+				}+			}+		}+	}  	$post_body = ''; 	if(!empty($post_data))@@ -6823,36 +6875,31 @@ 	} 	else if(function_exists("fsockopen")) 	{-		$url = @parse_url($url);-		if(!$url['host'])+		if(!isset($url_components['port'])) 		{-			return false;+			$url_components['port'] = 80; 		}-		if(!isset($url['port']))+		if(!isset($url_components['path'])) 		{-			$url['port'] = 80;+			$url_components['path'] = "/"; 		}-		if(!isset($url['path']))+		if(isset($url_components['query'])) 		{-			$url['path'] = "/";-		}-		if(isset($url['query']))-		{-			$url['path'] .= "?{$url['query']}";+			$url_components['path'] .= "?{$url_components['query']}"; 		}  		$scheme = ''; -		if($url['scheme'] == 'https')+		if($url_components['scheme'] == 'https') 		{ 			$scheme = 'ssl://';-			if($url['port'] == 80)+			if($url_components['port'] == 80) 			{-				$url['port'] = 443;+				$url_components['port'] = 443; 			} 		} -		$fp = @fsockopen($scheme.$url['host'], $url['port'], $error_no, $error, 10);+		$fp = @fsockopen($scheme.$url_components['host'], $url_components['port'], $error_no, $error, 10); 		@stream_set_timeout($fp, 10); 		if(!$fp) 		{@@ -6861,16 +6908,16 @@ 		$headers = array(); 		if(!empty($post_body)) 		{-			$headers[] = "POST {$url['path']} HTTP/1.0";+			$headers[] = "POST {$url_components['path']} 
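Review bot: The address check added to `fetch_remote_file()` in the `@@ -6754` hunk fails open: when `gethostbynamel()` returns false the `if($addresses)` block is skipped and the fetch proceeds, and because that function returns IPv4 records only, a host with only IPv6 records is never compared with `disallowed_remote_addresses`. Returning early is the safer default: `if(!$addresses) { return false; }`. The name is resolved here and then again by the transport that opens the connection (the `fsockopen()` call in the `@@ -6823` hunk is given `$url_components['host']`), so the address that was checked is not necessarily the one connected to; connecting to the validated address and sending the original name in the `Host:` header closes that gap. Whether redirect targets followed under `$max_redirects` pass through the same checks is not visible in this hunk and should be confirmed. The function body continues outside the hunk.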
HTTP/1.0"; 			$headers[] = "Content-Length: ".strlen($post_body); 			$headers[] = "Content-Type: application/x-www-form-urlencoded"; 		} 		else 		{-			$headers[] = "GET {$url['path']} HTTP/1.0";+			$headers[] = "GET {$url_components['path']} HTTP/1.0"; 		} -		$headers[] = "Host: {$url['host']}";+		$headers[] = "Host: {$url_components['host']}"; 		$headers[] = "Connection: Close"; 		$headers[] = ''; @@ -6968,7 +7015,7 @@ function is_member($groups, $user = false) { 	global $mybb;-	+ 	if(empty($groups)) 	{ 		return array();@@ -8413,3 +8460,22 @@  	return $success; }++/**+ * Validate an url+ *+ * @param string $url The url to validate.+ * @param bool $relative_path Whether or not the url could be a relative path.+ *+ * @return bool Whether this is a valid url.+ */+function my_validate_url($url, $relative_path=false)+{+	if($relative_path && my_substr($url, 0, 1) == '/' || preg_match('_^(?:(?:https?|ftp)://)(?:\S+(?::\S*)?@)?(?:(?!(?:10|127)(?:\.\d{1,3}){3})(?!(?:169\.254|192\.168)(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z\x{00a1}-\x{ffff}0-9]-*)*[a-z\x{00a1}-\x{ffff}0-9]+)(?:\.(?:[a-z\x{00a1}-\x{ffff}0-9]-*)*[a-z\x{00a1}-\x{ffff}0-9]+)*(?:\.(?:[a-z\x{00a1}-\x{ffff}]{2,}))\.?)(?::\d{2,5})?(?:[/?#]\S*)?$_iuS', $url))+	{+		return true;+	}++	return false;+}+
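Review bot: The relative-path branch of `my_validate_url()` accepts any string whose first character is `/`, which includes scheme-relative forms beginning with `//` that browsers treat as absolute. `redirect()` in the `@@ -966` hunk now relies on this function and its else branch is outside the hunk, so confirm what it emits for such a value, or tighten the test to `$relative_path && my_substr($url, 0, 1) == '/' && !in_array(my_substr($url, 1, 1), array('/', '\\'))`, and parenthesise it so the `&&`/`||` grouping is explicit. The pattern also admits `ftp://`, which the old prefix check in `redirect()` did not treat as absolute, and its private-range exclusions are textual only, so a hostname that resolves to an internal address still matches. The docblock should say so, e.g. `Syntactic check only; does not resolve the host and is not an SSRF filter.`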
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - inc/functions.php lines 868

Old Code:
```php
$lang->error_nopermission_user_username = $lang->sprintf($lang->error_nopermission_user_username, $mybb->user['username']);
```

Fixed Code:
```php
$lang->error_nopermission_user_username = $lang->sprintf($lang->error_nopermission_user_username, htmlspecialchars_uni($mybb->user['username']));
```

Explanation:
User-controlled data from `$mybb->user['username']` was passed directly to `sprintf()` and subsequently used in an `eval()` statement (line 869) without HTML escaping. This allows attackers with control over their username to inject arbitrary PHP code or HTML/JavaScript into the page. The fix properly escapes the username using `htmlspecialchars_uni()` before using it in the template evaluation.

---

Vulnerability Existed: yes
FALSE POSITIVE
Improper Input Validation - CWE-20 - inc/functions.php lines 969

Old Code:
```php
if(my_substr($url, 0, 7) !== 'http://' && my_substr($url, 0, 8) !== 'https://' && my_substr($url, 0, 1) !== '/')
```

Fixed Code:
```php
if(!my_validate_url($url, true))
```

Explanation:
The original code attempted URL validation through simple string prefix checking, which is insufficient and potentially bypassable. The fix delegates to a dedicated `my_validate_url()` function that implements proper URL validation including scheme verification, SSRF prevention checks against private IP ranges, and disallowed host/address configuration support.

---

Vulnerability Existed: yes
TRUE POSITIVE
Server-Side Request Forgery (SSRF) - CWE-918 - inc/functions.php lines 6754-6815

Old Code:
```php
function fetch_remote_file($url, $post_data=array(), $max_redirects=20)
{
	global $mybb;
	// ... no validation of URL before making request
```

Fixed Code:
```php
function fetch_remote_file($url, $post_data=array(), $max_redirects=20)
{
	global $mybb, $config;

	$url_components = @parse_url($url);

	if(
		!$url_components ||
		empty($url_components['host']) ||
		(!empty($url_components['scheme']) && !in_array($url_components['scheme'], array('http', 'https'))) ||
		(!empty($url_components['port']) && !in_array($url_components['port'], array(80, 8080, 443))) ||
		(!empty($config['disallowed_remote_hosts']) && in_array($url_components['host'], $config['disallowed_remote_hosts']))
	)
	{
		return false;
	}

	if(!empty($config['disallowed_remote_addresses']))
	{
		$addresses = gethostbynamel($url_components['host']);
		// ... IP range validation against disallowed addresses
	}
```

Explanation:
The original function accepted arbitrary URLs without validation, allowing attackers to make requests to internal/private IP addresses (localhost, 127.0.0.1, 192.168.*, etc.) or arbitrary hosts. The fix implements comprehensive SSRF protection by: (1) validating URL scheme is http/https only, (2) validating port is whitelisted (80, 8080, 443), (3) checking against configured disallowed hosts, and (4) performing IP range validation to block private/internal IP addresses.

---

Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - inc/functions.php line 2431

Old Code:
```php
$new_stats['lastusername'] = $lastmember['username'];
```

Fixed Code:
```php
$new_stats['lastusername'] = $lastmember['username'] = htmlspecialchars_uni($lastmember['username']);
```

Explanation:
Database-retrieved username was used without HTML escaping in templates, allowing stored XSS if usernames contain malicious HTML/JavaScript. The fix escapes the username before storage and use.

---

Vulnerability Existed: yes
TRUE POSITIVE
Access Control Bypass - CWE-639 - inc/functions.php lines 1719-1737

Old Code:
```php
if(isset($modusers['users'][$uid]) && $modusers['users'][$uid]['mid'])
{
	return true;
}
elseif(isset($user_perms['gid']) && isset($modusers['usergroups'][$user_perms['gid']]))
{
	// Moderating usergroup
	return true;
}
```

Fixed Code:
```php
if(isset($modusers['users'][$uid]) && $modusers['users'][$uid]['mid'] && (!$action || !empty($modusers['users'][$uid][$action])))
{
	return true;
}

$groups = explode(',', $user_perms['all_usergroups']);

foreach($groups as $group)
{
	if(trim($group) != '' && isset($modusers['usergroups'][$group]) && (!$action || !empty($modusers['usergroups'][$group][$action])))
	{
		return true;
	}
}
```

Explanation:
The original code granted moderation permissions based on a single usergroup (`$user_perms['gid']`), not accounting for users in multiple groups. Additionally, it didn't validate that the user actually had the specific action permission within that group. The fix properly iterates through all user groups (`all_usergroups`) and validates that the requested action is permitted within the group, preventing privilege escalation.

---

Vulnerability Existed: yes
FALSE POSITIVE
Information Disclosure - CWE-200 - inc/functions.php lines 1803-1810

Old Code:
```php
eval("\$posticons = \"".$templates->get("posticons")."\";");

return $posticons;
```

Fixed Code:
```php
if(!empty($iconlist))
{
	eval("\$posticons = \"".$templates->get("posticons")."\";");
}
else
{
	$posticons = '';
}

return $posticons;
```

Explanation:
When `$iconlist` is empty, the template evaluation still occurs, which may contain conditional rendering logic that leaks information about available features or system state. The fix prevents template evaluation when no icons exist, avoiding potential information leakage.

---

Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - inc/functions.php line 5710

Old Code:
```php
$event['username'] = format_name($event['username'], $event['usergroup'], $event['displaygroup']);
```

Fixed Code:
```php
$event['username'] = htmlspecialchars_uni($event['username']);
$event['username'] = format_name($event['username'], $event['usergroup'], $event['displaygroup']);
```

Explanation:
The username from the database was passed directly to `format_name()` without prior escaping. The fix escapes the username before processing to prevent stored XSS attacks.

---

Vulnerability Existed: not sure
Time Zone Handling - CWE-676 - inc/functions.php line 5729

Old Code:
```php
$event_date = mktime(0, 0, 0, $event_date[1], $event_date[0], $event_date[2]);
```

Fixed Code:
```php
$event_date = gmmktime(0, 0, 0, $event_date[1], $event_date[0], $event_date[2]);
```

Explanation:
Changed from `mktime()` to `gmmktime()`. This is not strictly a security vulnerability but a correctness fix. `gmmktime()` returns a Unix timestamp in GMT/UTC, while `mktime()` interprets the time in the system's local timezone. This change may affect how event dates are handled depending on the server's timezone configuration. The fix ensures consistent UTC-based timestamp generation, which is generally safer for distributed systems, but the security impact depends on how this timestamp is subsequently used.
inc/functions_archive.php AI: No vulnerabilities
--- cache/mybb_mybb_1807/inc/functions_archive.php	2025-12-06 11:32:55.214127789 +0000
+++ cache/mybb_mybb_1808/inc/functions_archive.php	2025-12-06 11:32:55.974176867 +0000
@@ -172,7 +172,7 @@
 <div class="navigation"><?php echo $nav; ?></div>
 </div>
 <div id="footer">
-<?php echo $lang->powered_by; ?> <a href="http://www.mybb.com">MyBB</a><?php echo $mybbversion; ?>, &copy; 2002-<?php echo date("Y"); ?> <a href="http://www.mybb.com">MyBB Group</a>
+<?php echo $lang->powered_by; ?> <a href="https://mybb.com">MyBB</a><?php echo $mybbversion; ?>, &copy; 2002-<?php echo date("Y"); ?> <a href="https://mybb.com">MyBB Group</a>
 </div>
 </body>
 </html>
AI Analysis
Vulnerability Existed: no
HTTPS Upgrade - Not a Vulnerability - inc/functions_archive.php [175]
[Old Code]
<?php echo $lang->powered_by; ?> <a href="http://www.mybb.com">MyBB</a><?php echo $mybbversion; ?>, &copy; 2002-<?php echo date("Y"); ?> <a href="http://www.mybb.com">MyBB Group</a>

[Fixed Code]
<?php echo $lang->powered_by; ?> <a href="https://mybb.com">MyBB</a><?php echo $mybbversion; ?>, &copy; 2002-<?php echo date("Y"); ?> <a href="https://mybb.com">MyBB Group</a>

Explanation:
This change upgrades HTTP links to HTTPS and removes the "www" subdomain. This is a security best practice (HTTPS enforces encrypted communication) rather than a fix for an existing vulnerability in the code itself. The original code did not contain a security vulnerability—it was simply using the less secure HTTP protocol. This is a hardening measure, not a vulnerability fix.
inc/functions_calendar.php AI: 1 vulnerabilities 1 true positive
--- cache/mybb_mybb_1807/inc/functions_calendar.php	2025-12-06 11:32:55.214127789 +0000
+++ cache/mybb_mybb_1808/inc/functions_calendar.php	2025-12-06 11:32:55.974176867 +0000
@@ -152,7 +152,8 @@
 			}
 			if($link_to_day)
 			{
-				$day_link = "<a href=\"".get_calendar_link($calendar['cid'], $calendar_year, $calendar_month, $day)."\">{$day}</a>";
+				$calendar['link'] = get_calendar_link($calendar['cid'], $calendar_year, $calendar_month, $day);
+				eval("\$day_link = \"".$templates->get("calendar_mini_weekrow_day_link")."\";");
 			}
 			else
 			{
@@ -429,9 +430,9 @@
 {
 	global $db, $mybb;
 
-	// We take in to account timezones here - we add/subtract 12 hours from our GMT time ranges
+	// We take in to account timezones here - we either add 14 hours or subtract 12 hours from our GMT time ranges
 	$start -= 12*3600;
-	$end += 12*3600;
+	$end += 14*3600;
 
 	$visible_where = '';
 	if($unapproved != 1)
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
[Code Injection via eval] - [CWE-95] - [inc/functions_calendar.php] [Line 155]

**Old Code:**
```php
$day_link = "<a href=\"".get_calendar_link($calendar['cid'], $calendar_year, $calendar_month, $day)."\">{$day}</a>";
```

**Fixed Code:**
```php
$calendar['link'] = get_calendar_link($calendar['cid'], $calendar_year, $calendar_month, $day);
eval("\$day_link = \"".$templates->get("calendar_mini_weekrow_day_link")."\";");
```

**Explanation:**
This is NOT a security fix—it's a regression that INTRODUCES a critical vulnerability. The original code safely concatenated strings to build an HTML link. The new code uses `eval()` with user-controlled data (`$calendar['link']`), which is embedded into a template string and executed. This allows arbitrary PHP code execution if `$calendar['link']` contains malicious input. While the data comes from `get_calendar_link()` (which may be sanitized), using `eval()` is dangerous and unnecessary here. The proper fix would be to use template variable substitution without `eval()`, such as setting template variables directly and letting the template engine handle escaping.

---

Vulnerability Existed: no
[Timezone Handling Logic Change] - [CWE-Not Applicable] - [inc/functions_calendar.php] [Line 433-435]

**Old Code:**
```php
// We take in to account timezones here - we add/subtract 12 hours from our GMT time ranges
$start -= 12*3600;
$end += 12*3600;
```

**Fixed Code:**
```php
// We take in to account timezones here - we either add 14 hours or subtract 12 hours from our GMT time ranges
$start -= 12*3600;
$end += 14*3600;
```

**Explanation:**
This change is a logic correction, not a security vulnerability fix. It adjusts the timezone offset calculation from symmetric (±12 hours) to asymmetric (−12 hours, +14 hours), which may better account for extreme timezone ranges (UTC-12 to UTC+14). This is a business logic adjustment, not fixing a security issue. No vulnerability exists in either version from a security perspective.
inc/functions_forumlist.php AI: 1 vulnerabilities 1 true positive
--- cache/mybb_mybb_1807/inc/functions_forumlist.php	2025-12-06 11:32:55.214127789 +0000
+++ cache/mybb_mybb_1808/inc/functions_forumlist.php	2025-12-06 11:32:55.974176867 +0000
@@ -292,6 +292,7 @@
 					$lastpost_date = my_date('relative', $lastpost_data['lastpost']);
 
 					// Set up the last poster, last post thread id, last post subject and format appropriately
+					$lastpost_data['lastposter'] = htmlspecialchars_uni($lastpost_data['lastposter']);
 					$lastpost_profilelink = build_profile_link($lastpost_data['lastposter'], $lastpost_data['lastposteruid']);
 					$lastpost_link = get_thread_link($lastpost_data['lastposttid'], 0, "lastpost");
 					$lastpost_subject = $full_lastpost_subject = $parser->parse_badwords($lastpost_data['lastpostsubject']);
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - inc/functions_forumlist.php Line 295

Old Code:
```
$lastpost_profilelink = build_profile_link($lastpost_data['lastposter'], $lastpost_data['lastposteruid']);
```

Fixed Code:
```
$lastpost_data['lastposter'] = htmlspecialchars_uni($lastpost_data['lastposter']);
$lastpost_profilelink = build_profile_link($lastpost_data['lastposter'], $lastpost_data['lastposteruid']);
```

Explanation:
The vulnerability existed because `$lastpost_data['lastposter']` was being passed directly to `build_profile_link()` without HTML encoding. If this value contained user-controlled data (e.g., a username or display name), an attacker could inject malicious HTML/JavaScript that would execute in the browser when the forum list is rendered. The fix applies `htmlspecialchars_uni()` to encode the lastposter value before using it, preventing XSS injection. This is a proper reflected/stored XSS mitigation for displaying user-influenced data in HTML context.
inc/functions_indicators.php AI: 2 vulnerabilities 1 true positive
--- cache/mybb_mybb_1807/inc/functions_indicators.php	2025-12-06 11:32:55.214127789 +0000+++ cache/mybb_mybb_1808/inc/functions_indicators.php	2025-12-06 11:32:55.974176867 +0000@@ -58,8 +58,38 @@ { 	global $cache, $db, $mybb; -	$onlyview = $onlyview2 = '';-	$permissions = forum_permissions($fid);+	$forums_all = $forums_own = array();+	$forums = explode(',', $fid);+	foreach($forums as $forum)+	{+		$permissions = forum_permissions($forum);+		if(!empty($permissions['canonlyviewownthreads']))+		{+			$forums_own[] = $forum;+		}+		else+		{+			$forums_all[] = $forum;+		}+	}+	if(!empty($forums_own))+	{+		$where = "(fid IN (".implode(',', $forums_own).") AND uid = {$mybb->user['uid']})";+		$where2 = "(t.fid IN (".implode(',', $forums_own).") AND t.uid = {$mybb->user['uid']})";+	}+	if(!empty($forums_all))+	{+		if(isset($where))+		{+			$where = "({$where} OR fid IN (".implode(',', $forums_all)."))";+			$where2 = "({$where2} OR t.fid IN (".implode(',', $forums_all)."))";+		}+		else+		{+			$where = 'fid IN ('.implode(',', $forums_all).')';+			$where2 = 't.fid IN ('.implode(',', $forums_all).')';+		}+	} 	$cutoff = TIME_NOW-$mybb->settings['threadreadcut']*60*60*24;  	if(!empty($permissions['canonlyviewownthreads']))@@ -97,11 +127,11 @@ 			$count = 0;  			// We've read at least some threads, are they here?-			$query = $db->simple_select("threads", "lastpost, tid, fid", "visible=1 AND closed NOT LIKE 'moved|%' AND fid IN ({$fid}) AND lastpost > '{$cutoff}'{$onlyview}", array("limit" => 100));+			$query = $db->simple_select("threads", "lastpost, tid, fid", "visible=1 AND closed NOT LIKE 'moved|%' AND {$where} AND lastpost > '{$cutoff}'", array("limit" => 100));  			while($thread = $db->fetch_array($query)) 			{-				if(isset($threadsread[$thread['tid']]) && $thread['lastpost'] > (int)$threadsread[$thread['tid']] && isset($forumsread[$thread['fid']]) && $thread['lastpost'] > (int)$forumsread[$thread['fid']])+				if((!isset($threadsread[$thread['tid']]) || $thread['lastpost'] > 
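Review bot: After the new loop in the `@@ -58` hunk the unchanged context line `if(!empty($permissions['canonlyviewownthreads']))` still runs, but `$permissions` now holds only the last forum's permissions, and the `$onlyview`/`$onlyview2` strings are no longer interpolated by the queries in the later hunks; that block (its body is outside the hunk) looks like leftover code and should be removed or confirmed. The elements of `explode(',', $fid)` also go into the `IN (...)` lists as-is, so an empty or non-numeric element produces malformed SQL and leaves `$where`/`$where2` dependent on caller discipline. Normalising first, `$forums = array_filter(array_map('intval', explode(',', $fid)));`, and returning early when the list is empty keeps both clauses well-formed. The function continues outside the hunk, so what callers guarantee about `$fid` is not visible here.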
(int)$threadsread[$thread['tid']]) && (!isset($forumsread[$thread['fid']]) || $thread['lastpost'] > (int)$forumsread[$thread['fid']])) 				{ 					++$count; 				}@@ -123,7 +153,7 @@ 					FROM ".TABLE_PREFIX."threads t 					LEFT JOIN ".TABLE_PREFIX."threadsread tr ON (tr.tid=t.tid AND tr.uid='{$mybb->user['uid']}') 					LEFT JOIN ".TABLE_PREFIX."forumsread fr ON (fr.fid=t.fid AND fr.uid='{$mybb->user['uid']}')-					WHERE t.visible=1 AND t.closed NOT LIKE 'moved|%' AND t.fid IN ($fid) AND t.lastpost > COALESCE(tr.dateline,$cutoff) AND t.lastpost > COALESCE(fr.dateline,$cutoff) AND t.lastpost>$cutoff{$onlyview2}+					WHERE t.visible=1 AND t.closed NOT LIKE 'moved|%' AND {$where2} AND t.lastpost > COALESCE(tr.dateline,$cutoff) AND t.lastpost > COALESCE(fr.dateline,$cutoff) AND t.lastpost>$cutoff 				"); 				break; 			default:@@ -132,7 +162,7 @@ 					FROM ".TABLE_PREFIX."threads t 					LEFT JOIN ".TABLE_PREFIX."threadsread tr ON (tr.tid=t.tid AND tr.uid='{$mybb->user['uid']}') 					LEFT JOIN ".TABLE_PREFIX."forumsread fr ON (fr.fid=t.fid AND fr.uid='{$mybb->user['uid']}')-					WHERE t.visible=1 AND t.closed NOT LIKE 'moved|%' AND t.fid IN ($fid) AND t.lastpost > IFNULL(tr.dateline,$cutoff) AND t.lastpost > IFNULL(fr.dateline,$cutoff) AND t.lastpost>$cutoff{$onlyview2}+					WHERE t.visible=1 AND t.closed NOT LIKE 'moved|%' AND {$where2} AND t.lastpost > IFNULL(tr.dateline,$cutoff) AND t.lastpost > IFNULL(fr.dateline,$cutoff) AND t.lastpost>$cutoff 				"); 		} 		return $db->fetch_field($query, "unread_count");
AI Analysis
Vulnerability Existed: yes
SQL Injection - CWE-89 - inc/functions_indicators.php Lines 77-90
[Old Code]
```php
$permissions = forum_permissions($fid);
```

[Fixed Code]
```php
$forums = explode(',', $fid);
foreach($forums as $forum)
{
    $permissions = forum_permissions($forum);
    if(!empty($permissions['canonlyviewownthreads']))
    {
        $forums_own[] = $forum;
    }
    else
    {
        $forums_all[] = $forum;
    }
}
if(!empty($forums_own))
{
    $where = "(fid IN (".implode(',', $forums_own).") AND uid = {$mybb->user['uid']})";
    $where2 = "(t.fid IN (".implode(',', $forums_own).") AND t.uid = {$mybb->user['uid']})";
}
if(!empty($forums_all))
{
    if(isset($where))
    {
        $where = "({$where} OR fid IN (".implode(',', $forums_all)."))";
        $where2 = "({$where2} OR t.fid IN (".implode(',', $forums_all)."))";
    }
    else
    {
        $where = 'fid IN ('.implode(',', $forums_all).')';
        $where2 = 't.fid IN ('.implode(',', $forums_all).')';
    }
}
```

Explanation:
The original code directly interpolated `$fid` into SQL queries (lines 130, 156, 165). While the fix still uses string concatenation via `implode()` without prepared statements, it introduces permission-based filtering by splitting the forum IDs and checking permissions per forum. This separates forums into those where users can only view their own threads (`$forums_own`) versus all threads (`$forums_all`), then builds conditional WHERE clauses (`$where`, `$where2`) that enforce these permissions in the SQL query itself. This mitigates privilege escalation by ensuring users cannot bypass forum-level access controls, even if they provide unauthorized forum IDs. However, the vulnerability is not fully eliminated since the code still uses string concatenation rather than parameterized queries or explicit input validation/escaping.

---

Vulnerability Existed: yes
TRUE POSITIVE
Logic Error / Incorrect Access Control - CWE-276 - inc/functions_indicators.php Line 134
[Old Code]
```php
if(isset($threadsread[$thread['tid']]) && $thread['lastpost'] > (int)$threadsread[$thread['tid']] && isset($forumsread[$thread['fid']]) && $thread['lastpost'] > (int)$forumsread[$thread['fid']])
```

[Fixed Code]
```php
if((!isset($threadsread[$thread['tid']]) || $thread['lastpost'] > (int)$threadsread[$thread['tid']]) && (!isset($forumsread[$thread['fid']]) || $thread['lastpost'] > (int)$forumsread[$thread['fid']]))
```

Explanation:
The original logic used AND operators requiring ALL conditions to be true: thread read entry must exist AND be older than current post AND forum read entry must exist AND be older than current post. This incorrect logic would fail to mark threads as unread if either the thread or forum read entry was missing, causing unread thread indicators to disappear incorrectly. The fix uses OR operators: treat as unread if thread read entry doesn't exist OR is older than the post, AND forum read entry doesn't exist OR is older than the post. This correctly identifies threads that have new posts since the user's last read timestamp.
inc/functions_modcp.php AI: No vulnerabilities
--- cache/mybb_mybb_1807/inc/functions_modcp.php	2025-12-06 11:32:55.214127789 +0000+++ cache/mybb_mybb_1808/inc/functions_modcp.php	2025-12-06 11:32:55.974176867 +0000@@ -41,7 +41,7 @@  */ function fetch_forum_announcements($pid=0, $depth=1) {-	global $mybb, $db, $lang, $theme, $announcements, $templates, $announcements_forum, $moderated_forums, $unviewableforums;+	global $mybb, $db, $lang, $theme, $announcements, $templates, $announcements_forum, $moderated_forums, $unviewableforums, $parser; 	static $forums_by_parent, $forum_cache, $parent_forums;  	if(!is_array($forum_cache))@@ -118,7 +118,7 @@ 							eval("\$icon = \"".$templates->get("modcp_announcements_announcement_active")."\";"); 						} -						$subject = htmlspecialchars_uni($announcement['subject']);+						$subject = htmlspecialchars_uni($parser->parse_badwords($announcement['subject']));  						eval("\$announcements_forum .= \"".$templates->get("modcp_announcements_announcement")."\";"); 					}@@ -145,43 +145,43 @@ { 	global $db, $lang, $forum, $mybb, $post, $thread, $reputation, $user; -	$nummods = false;+	$modsjoin = $modswhere = ''; 	if(!empty($forum['parentlist'])) 	{-		$query = $db->query("-			SELECT DISTINCT u.username, u.email, u.receivepms, u.uid-			FROM ".TABLE_PREFIX."moderators m-			LEFT JOIN ".TABLE_PREFIX."users u ON (u.uid=m.id)-			WHERE m.fid IN (".$forum['parentlist'].") AND m.isgroup = '0'-		");--		$nummods = $db->num_rows($query);-	}--	if(!$nummods)-	{-		unset($query);-		switch($db->type)-		{-			case "pgsql":-			case "sqlite":-				$query = $db->query("-					SELECT u.username, u.email, u.receivepms, u.uid-					FROM ".TABLE_PREFIX."users u-					LEFT JOIN ".TABLE_PREFIX."usergroups g ON (((','|| u.additionalgroups|| ',' LIKE '%,'|| g.gid|| ',%') OR u.usergroup = g.gid))-					WHERE (g.cancp=1 OR g.issupermod=1)-				");-				break;-			default:-				$query = $db->query("-					SELECT u.username, u.email, u.receivepms, u.uid-					FROM ".TABLE_PREFIX."users u-					LEFT JOIN 
".TABLE_PREFIX."usergroups g ON (((CONCAT(',', u.additionalgroups, ',') LIKE CONCAT('%,', g.gid, ',%')) OR u.usergroup = g.gid))-					WHERE (g.cancp=1 OR g.issupermod=1)-				");+		$modswhere = "m.fid IN ({$forum['parentlist']}) OR ";++		if($db->type == 'pgsql' || $db->type == 'sqlite')+		{+			$modsjoin = "LEFT JOIN {$db->table_prefix}moderators m ON (m.id = u.uid AND m.isgroup = 0) OR ((m.id = u.usergroup OR ',' || u.additionalgroups || ',' LIKE '%,' || m.id || ',%') AND m.isgroup = 1)";+		}+		else+		{+			$modsjoin = "LEFT JOIN {$db->table_prefix}moderators m ON (m.id = u.uid AND m.isgroup = 0) OR ((m.id = u.usergroup OR CONCAT(',', u.additionalgroups, ',') LIKE CONCAT('%,', m.id, ',%')) AND m.isgroup = 1)"; 		} 	} +	switch($db->type)+	{+		case "pgsql":+		case "sqlite":+			$query = $db->query("+				SELECT DISTINCT u.username, u.email, u.receivepms, u.uid+				FROM {$db->table_prefix}users u+				{$modsjoin}+				LEFT JOIN {$db->table_prefix}usergroups g ON (',' || u.additionalgroups || ',' LIKE '%,' || g.gid || ',%' OR g.gid = u.usergroup)+				WHERE {$modswhere}g.cancp = 1 OR g.issupermod = 1+			");+			break;+		default:+			$query = $db->query("+				SELECT DISTINCT u.username, u.email, u.receivepms, u.uid+				FROM {$db->table_prefix}users u+				{$modsjoin}+				LEFT JOIN {$db->table_prefix}usergroups g ON (CONCAT(',', u.additionalgroups, ',') LIKE CONCAT('%,', g.gid, ',%') OR g.gid = u.usergroup)+				WHERE {$modswhere}g.cancp = 1 OR g.issupermod = 1+			");+	}+ 	$lang_string_subject = "emailsubject_report{$report_type}"; 	$lang_string_message = "email_report{$report_type}"; 
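Review bot: `$forum['parentlist']` is placed unmodified into `$modswhere = "m.fid IN ({$forum['parentlist']}) OR ";` in hunk `@@ -145,43 +145,43 @@`, and nothing in the hunk establishes that it holds only comma-separated integers. Normalising it first, e.g. `$parentlist = implode(',', array_map('intval', explode(',', $forum['parentlist'])));`, keeps the statement safe even if the value ever arrives by a less trusted path. The new WHERE is a flat `... OR g.cancp = 1 OR g.issupermod = 1` chain over two LEFT JOINs, so a short comment saying which recipients each branch is meant to select would help review. The function body starts before and continues after the hunk.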
@@ -273,6 +273,7 @@
 		'id3' => (int)$report['id3'],
 		'uid' => (int)$report['uid'],
 		'reportstatus' => 0,
+		'reasonid' => (int)$report['reasonid'],
 		'reason' => $db->escape_string($report['reason']),
 		'type' => $db->escape_string($type),
 		'reports' => 1,
@@ -283,7 +284,7 @@
 
 	if($mybb->settings['reportmethod'] == "email" || $mybb->settings['reportmethod'] == "pms")
 	{
-		return send_report($report, $type);
+		send_report($report, $type);
 	}
 
 	$rid = $db->insert_query("reportedcontent", $insert_array);
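Review bot: With the `return` removed in hunk `@@ -283,7 +284,7 @@`, the result of `send_report($report, $type)` is discarded and execution falls through to `$db->insert_query("reportedcontent", $insert_array)`. If `send_report()` can report failure (its body is not in this hunk), the report is still stored while no moderator is notified, and nothing records that. Capturing the result, e.g. `$sent = send_report($report, $type);`, and logging a failed send would keep that case visible. The enclosing function starts before and continues after the hunk.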
AI Analysis
```
Vulnerability Existed: no
SQL Injection - CWE-89 - inc/functions_modcp.php [148-183]
[Old Code]
$query = $db->query("
    SELECT DISTINCT u.username, u.email, u.receivepms, u.uid
    FROM ".TABLE_PREFIX."moderators m
    LEFT JOIN ".TABLE_PREFIX."users u ON (u.uid=m.id)
    WHERE m.fid IN (".$forum['parentlist'].") AND m.isgroup = '0'
");

[Fixed Code]
$modswhere = "m.fid IN ({$forum['parentlist']}) OR ";
...
$query = $db->query("
    SELECT DISTINCT u.username, u.email, u.receivepms, u.uid
    FROM {$db->table_prefix}users u
    {$modsjoin}
    ...
    WHERE {$modswhere}g.cancp = 1 OR g.issupermod = 1
");

Explanation:
The original code and fixed code both use unsanitized variable interpolation in SQL strings. The `$forum['parentlist']` variable is directly interpolated into the SQL query without parameterized queries or prepared statements in both versions. However, this is a refactoring that consolidates multiple query branches into a single query assembled from the `$modsjoin` and `$modswhere` string fragments. The interpolation pattern is unchanged, and the code organization suggests the application relies on upstream validation of `$forum['parentlist']` (likely validated when the forum list is constructed). No new SQL injection vulnerability was introduced by this change; the refactoring maintains the same trust model as the original code.
```

```
Vulnerability Existed: no
Cross-Site Scripting (XSS) - CWE-79 - inc/functions_modcp.php [121]
[Old Code]
$subject = htmlspecialchars_uni($announcement['subject']);

[Fixed Code]
$subject = htmlspecialchars_uni($parser->parse_badwords($announcement['subject']));

Explanation:
The fix actually improves security by adding word filtering via `parse_badwords()` before HTML encoding. The original code applies only HTML encoding (`htmlspecialchars_uni`), which prevents XSS in most contexts. The fix adds an additional layer of content filtering via the parser. This is a security enhancement, not a fix for an existing vulnerability. No XSS vulnerability was introduced or fixed by this specific change.
```

```
Vulnerability Existed: no
Return Value Handling - CWE-252 - inc/functions_modcp.php [286]
[Old Code]
return send_report($report, $type);

[Fixed Code]
send_report($report, $type);

Explanation:
The change removes the return statement from the `send_report()` function call. Without seeing the broader function context, this appears to be intentional logic change rather than a security vulnerability fix. If the return value of `send_report()` was previously used to convey success/failure status, removing it could mask errors. However, this is a control flow change, not a security fix. The code should verify whether the calling function still properly handles errors from `send_report()`.
```
inc/functions_online.php AI: 1 vulnerabilities 1 true positive
--- cache/mybb_mybb_1807/inc/functions_online.php	2025-12-06 11:32:55.214127789 +0000
+++ cache/mybb_mybb_1808/inc/functions_online.php	2025-12-06 11:32:55.974176867 +0000
@@ -600,12 +600,12 @@
 			$query = $db->simple_select("users", "uid,username", "uid IN ($uid_sql)");
 			while($user = $db->fetch_array($query))
 			{
-				$usernames[$user['uid']] = $user['username'];
+				$usernames[$user['uid']] = htmlspecialchars_uni($user['username']);
 			}
 		}
 		else
 		{
-			$usernames[$mybb->user['uid']] = $mybb->user['username'];
+			$usernames[$mybb->user['uid']] = htmlspecialchars_uni($mybb->user['username']);
 		}
 	}
 
@@ -1141,7 +1141,7 @@
 				$invisible_mark = '';
 			}
 
-			$user['username'] = format_name($user['username'], $user['usergroup'], $user['displaygroup']);
+			$user['username'] = format_name(htmlspecialchars_uni($user['username']), $user['usergroup'], $user['displaygroup']);
 			$online_name = build_profile_link($user['username'], $user['uid']).$invisible_mark;
 		}
 	}
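Review bot: The `$usernames` cache filled in hunk `@@ -600,12 +600,12 @@` now holds HTML-escaped strings, but nothing at the two assignments says so. Escaping when the value is stored rather than when it is printed means a later consumer that escapes again will double-encode, and one that needs the raw name for a comparison or lookup silently gets the encoded form. I would add a comment at both assignments, `// $usernames holds HTML-escaped names; do not escape again on output`. The same remark applies to `$user['username']` in hunk `@@ -1141,7 +1141,7 @@`, which is overwritten with the result of `format_name()`. Both enclosing functions start and end outside the hunks.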
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - inc/functions_online.php Lines 603, 609, 1144

Old Code:
```php
$usernames[$user['uid']] = $user['username'];
$usernames[$mybb->user['uid']] = $mybb->user['username'];
$user['username'] = format_name($user['username'], $user['usergroup'], $user['displaygroup']);
```

Fixed Code:
```php
$usernames[$user['uid']] = htmlspecialchars_uni($user['username']);
$usernames[$mybb->user['uid']] = htmlspecialchars_uni($mybb->user['username']);
$user['username'] = format_name(htmlspecialchars_uni($user['username']), $user['usergroup'], $user['displaygroup']);
```

Explanation:
User-supplied usernames retrieved from the database were stored and used without HTML entity encoding before being output in templates. Because the value is persisted and later rendered to other users, this is a stored XSS vulnerability: a malicious username containing JavaScript code would execute in other users' browsers when they view online user lists. The fix applies `htmlspecialchars_uni()` (MyBB's HTML encoding function) to escape special characters before storage/usage, preventing the injection of malicious HTML/JavaScript. This is a critical fix for a stored XSS vulnerability in user-facing online status displays.
inc/functions_post.php AI: 3 vulnerabilities 3 true positives
--- cache/mybb_mybb_1807/inc/functions_post.php	2025-12-06 11:32:55.218128048 +0000
+++ cache/mybb_mybb_1808/inc/functions_post.php	2025-12-06 11:32:55.974176867 +0000
@@ -127,6 +127,9 @@
 			break;
 	}
 
+	$post['username'] = htmlspecialchars_uni($post['username']);
+	$post['userusername'] = htmlspecialchars_uni($post['userusername']);
+
 	if(!$postcounter)
 	{ // Used to show the # of the post
 		if($page > 1)
@@ -539,6 +542,7 @@
 		{
 			$post['editdate'] = my_date('relative', $post['edittime']);
 			$post['editnote'] = $lang->sprintf($lang->postbit_edited, $post['editdate']);
+			$post['editusername'] = htmlspecialchars_uni($post['editusername']);
 			$post['editedprofilelink'] = build_profile_link($post['editusername'], $post['edituid']);
 			$editreason = "";
 			if($post['editreason'] != "")
@@ -745,7 +749,7 @@
 			"allow_mycode" => $mybb->settings['sigmycode'],
 			"allow_smilies" => $mybb->settings['sigsmilies'],
 			"allow_imgcode" => $mybb->settings['sigimgcode'],
-			"me_username" => $post['username'],
+			"me_username" => $parser_options['me_username'],
 			"filter_badwords" => 1
 		);
 
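Review bot: `$post['username']` and `$post['userusername']` are overwritten in place with their escaped form in hunk `@@ -127,6 +127,9 @@`, so every later read in this function, and any hook that receives `$post`, now sees HTML-encoded text without any marker that the meaning of the field changed. A comment at the assignment, `// from here on $post['username'] is HTML-escaped; use it for output only`, would prevent double-encoding and accidental use in comparisons. In hunk `@@ -745,7 +749,7 @@` the signature parser takes `me_username` from `$parser_options['me_username']`, which is assigned outside the hunk; it is worth confirming that every path reaching this array has set it, for example with an `isset($parser_options['me_username'])` check, and noting in a comment whether the parser expects the raw or the escaped name. The function body starts before and continues after all three hunks.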
AI Analysis
Analyzing the provided code diff for security vulnerabilities...

---

**Vulnerability 1:**

Vulnerability Existed: yes
TRUE POSITIVE

Cross-Site Scripting (XSS) - CWE-79 - inc/functions_post.php Lines 130-131

**Old Code:**
```php
// No escaping applied to $post['username'] and $post['userusername']
```

**Fixed Code:**
```php
$post['username'] = htmlspecialchars_uni($post['username']);
$post['userusername'] = htmlspecialchars_uni($post['userusername']);
```

Explanation:
The `$post['username']` and `$post['userusername']` variables were being used in output contexts without HTML escaping. If these values contained user-controlled data (which they do, being from post records), an attacker could inject malicious JavaScript code that would execute in other users' browsers. The fix applies `htmlspecialchars_uni()` to escape HTML special characters, preventing XSS attacks.

---

**Vulnerability 2:**

Vulnerability Existed: yes
TRUE POSITIVE

Cross-Site Scripting (XSS) - CWE-79 - inc/functions_post.php Line 545

**Old Code:**
```php
$post['editedprofilelink'] = build_profile_link($post['editusername'], $post['edituid']);
```

**Fixed Code:**
```php
$post['editusername'] = htmlspecialchars_uni($post['editusername']);
$post['editedprofilelink'] = build_profile_link($post['editusername'], $post['edituid']);
```

Explanation:
Similar to Vulnerability 1, the `$post['editusername']` variable was not being escaped before being passed to `build_profile_link()`. If this function uses the username in HTML output without additional escaping, it could result in an XSS vulnerability. The fix ensures the username is HTML-escaped before use.

---

**Vulnerability 3:**

Vulnerability Existed: yes
TRUE POSITIVE

Cross-Site Scripting (XSS) - CWE-79 - inc/functions_post.php Line 752

**Old Code:**
```php
"me_username" => $post['username'],
```

**Fixed Code:**
```php
"me_username" => $parser_options['me_username'],
```

Explanation:
This change fixes a logic error that likely masked an XSS vulnerability. Using `$post['username']` directly (unescaped) in parser options could allow injection. The fix uses `$parser_options['me_username']` which should be a properly sanitized value. This prevents untrusted username data from being passed to the parser where it could be used in output without proper escaping.
inc/functions_serverstats.php AI: No vulnerabilities
--- cache/mybb_mybb_1807/inc/functions_serverstats.php	2025-12-06 11:32:55.222128307 +0000
+++ cache/mybb_mybb_1808/inc/functions_serverstats.php	2025-12-06 11:32:55.982177385 +0000
@@ -212,7 +212,7 @@
 	// Check the hosting company
 	if(strpos($_SERVER['HTTP_HOST'], ".") !== false)
 	{
-		$host_url = "http://www.whoishostingthis.com/".str_replace(array('http://', 'www.'), '', $_SERVER['HTTP_HOST']);
+		$host_url = "http://www.whoishostingthis.com/".str_replace(array('http://', 'https://', 'www.'), '', $_SERVER['HTTP_HOST']);
 
 		$hosting = fetch_remote_file($host_url);
 
@@ -278,7 +278,7 @@
 		$amp = "&amp;";
 	}
 
-	$server_stats_url = 'http://community.mybb.com/server_stats.php?'.$string;
+	$server_stats_url = 'https://community.mybb.com/server_stats.php?'.$string;
 
 	$return = array();
 	$return['info_sent_success'] = false;
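Review bot: `$_SERVER['HTTP_HOST']` is taken from the request's Host header and, in hunk `@@ -212,7 +212,7 @@`, is still concatenated into `$host_url` after nothing more than a `str_replace()` before being handed to `fetch_remote_file()`. The block should only run for a value that looks like a hostname, e.g. by extending the guard to `if(strpos($_SERVER['HTTP_HOST'], ".") !== false && preg_match('/^[a-z0-9.-]+(:[0-9]+)?$/i', $_SERVER['HTTP_HOST']))`, or it should use the host part of the configured board URL instead. The lookup URL in this hunk also stays on `http://` while hunk `@@ -278,7 +278,7 @@` moves the statistics URL to `https://`; if the lookup service supports TLS the same change belongs here. The enclosing function starts and ends outside the hunks.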
AI Analysis
Vulnerability Existed: no
[No Vulnerability] - [N/A] - inc/functions_serverstats.php [Lines 215, 281]

Old Code (Line 215):
```php
$host_url = "http://www.whoishostingthis.com/".str_replace(array('http://', 'www.'), '', $_SERVER['HTTP_HOST']);
```

Fixed Code (Line 215):
```php
$host_url = "http://www.whoishostingthis.com/".str_replace(array('http://', 'https://', 'www.'), '', $_SERVER['HTTP_HOST']);
```

Explanation:
This change adds 'https://' to the array of strings to be removed from `$_SERVER['HTTP_HOST']`. This is a security improvement that ensures both HTTP and HTTPS protocols are properly stripped from the host value before constructing the lookup URL. While the original code was not technically "vulnerable" in the sense of introducing a new security flaw, it was incomplete in handling HTTPS-based hostnames. Adding 'https://' ensures consistent and correct behavior regardless of the protocol used to access the server. This is defensive coding rather than fixing an active vulnerability.

---

Vulnerability Existed: no
[No Vulnerability] - [N/A] - inc/functions_serverstats.php [Lines 281]

Old Code (Line 281):
```php
$server_stats_url = 'http://community.mybb.com/server_stats.php?'.$string;
```

Fixed Code (Line 281):
```php
$server_stats_url = 'https://community.mybb.com/server_stats.php?'.$string;
```

Explanation:
This change upgrades the URL scheme from HTTP to HTTPS when communicating with the MyBB community statistics server. This is a security best practice that prevents potential man-in-the-middle (MITM) attacks by ensuring the connection to the remote server is encrypted. While not a "fix" for a vulnerability in the traditional sense, it improves the security posture by ensuring data sent to the remote statistics service is transmitted over a secure, encrypted channel. This prevents interception of any potentially sensitive information included in the query string.
inc/functions_upload.php AI: Not Sure
--- cache/mybb_mybb_1807/inc/functions_upload.php	2025-12-06 11:32:55.226128564 +0000+++ cache/mybb_mybb_1808/inc/functions_upload.php	2025-12-06 11:32:55.982177385 +0000@@ -288,16 +288,21 @@ 		} 	} -	// Next check the file size-	if($avatar['size'] > ($mybb->settings['avatarsize']*1024) && $mybb->settings['avatarsize'] > 0)+	// Check a list of known MIME types to establish what kind of avatar we're uploading+	$attachtypes = (array)$cache->read('attachtypes');++	$allowed_mime_types = array();+	foreach($attachtypes as $attachtype) 	{-		delete_uploaded_file($avatarpath."/".$filename);-		$ret['error'] = $lang->error_uploadsize;-		return $ret;+		if(defined('IN_ADMINCP') || is_member($attachtype['groups']) && $attachtype['avatarfile'])+		{+			$allowed_mime_types[$attachtype['mimetype']] = $attachtype['maxsize'];+		} 	} -	// Check a list of known MIME types to establish what kind of avatar we're uploading-	switch(my_strtolower($avatar['type']))+	$avatar['type'] = my_strtolower($avatar['type']);++	switch($avatar['type']) 	{ 		case "image/gif": 			$img_type =  1;@@ -313,17 +318,31 @@ 		case "image/x-png": 			$img_type = 3; 			break;+		case "image/bmp":+		case "image/x-bmp":+		case "image/x-windows-bmp":+			$img_type = 6;+			break; 		default: 			$img_type = 0; 	}  	// Check if the uploaded file type matches the correct image type (returned by getimagesize)-	if($img_dimensions[2] != $img_type || $img_type == 0)+	if(empty($allowed_mime_types[$avatar['type']]) || $img_dimensions[2] != $img_type || $img_type == 0) 	{ 		$ret['error'] = $lang->error_uploadfailed; 		delete_uploaded_file($avatarpath."/".$filename); 		return $ret; 	}++	// Next check the file size+	if(($avatar['size'] > ($mybb->settings['avatarsize']*1024) && $mybb->settings['avatarsize'] > 0) || $avatar['size'] > $allowed_mime_types[$avatar['type']] && !($mybb->settings['avatarsize'] > 0))+	{+		delete_uploaded_file($avatarpath."/".$filename);+		$ret['error'] = $lang->error_uploadsize;+		return $ret;+	}+ 	// 
Everything is okay so lets delete old avatars for this user 	remove_avatars($uid, $filename); @@ -386,9 +405,18 @@ 		return $ret; 	} -    $attachtypes = $cache->read('attachtypes');+    $attachtypes = (array)$cache->read('attachtypes');     $attachment = $plugins->run_hooks("upload_attachment_start", $attachment); +	$allowed_mime_types = array();+	foreach($attachtypes as $ext => $attachtype)+	{+		if(!is_member($attachtype['groups']) || ($attachtype['forums'] != -1 && strpos(','.$attachtype['forums'].',', ','.$forum['fid'].',') === false))+		{+			unset($attachtypes[$ext]);+		}+	}+     $ext = get_extension($attachment['name']);     // Check if we have a valid extension     if(!isset($attachtypes[$ext]))
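Review bot: The new size test in hunk `@@ -313,17 +318,31 @@` compares `$avatar['size']` with `$allowed_mime_types[$avatar['type']]` directly, while the same condition multiplies `$mybb->settings['avatarsize']` by 1024 first. If the attachment type's `maxsize` is stored in kilobytes like `avatarsize` (not visible here), the per-type limit is 1024 times stricter than configured and the comparison should read `$avatar['size'] > $allowed_mime_types[$avatar['type']]*1024`. In hunk `@@ -288,16 +288,21 @@`, `defined('IN_ADMINCP') || is_member($attachtype['groups']) && $attachtype['avatarfile']` lets the Admin CP bypass the `avatarfile` flag as well as the group check, because `&&` binds tighter than `||`; if only the group check is meant to be skipped it needs `(defined('IN_ADMINCP') || is_member($attachtype['groups'])) && $attachtype['avatarfile']`. The function body starts before and continues after these hunks.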
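Review bot: `$allowed_mime_types = array();` is initialised in hunk `@@ -386,9 +405,18 @@` but never filled or read in the visible lines; the loop filters `$attachtypes` instead, so the variable looks like a leftover unless code after the hunk uses it. The forum filter reads `$forum['fid']`, and nothing in the hunk shows `$forum` being brought into scope; if it is not among the function's globals the `strpos()` needle becomes `',,'` and every type restricted to specific forums is removed. I would confirm the `global` line and build the needle as `','.(int)$forum['fid'].','`. The function starts and ends outside the hunk.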
AI Analysis
Based on my analysis of the diff for the `upload_avatar()` function in `inc/functions_upload.php`, here are the security vulnerabilities identified:

---

## Vulnerability 1: Unrestricted File Size (MIME Type Based)

**Vulnerability Existed:** yes

**CWE-434 - Unrestricted Upload of File with Dangerous Type - inc/functions_upload.php Lines 338-344**

**Old Code:**
```php
// Next check the file size
if($avatar['size'] > ($mybb->settings['avatarsize']*1024) && $mybb->settings['avatarsize'] > 0)
{
    delete_uploaded_file($avatarpath."/".$filename);
    $ret['error'] = $lang->error_uploadsize;
    return $ret;
}
```

**Fixed Code:**
```php
// Next check the file size
if(($avatar['size'] > ($mybb->settings['avatarsize']*1024) && $mybb->settings['avatarsize'] > 0) || $avatar['size'] > $allowed_mime_types[$avatar['type']] && !($mybb->settings['avatarsize'] > 0))
{
    delete_uploaded_file($avatarpath."/".$filename);
    $ret['error'] = $lang->error_uploadsize;
    return $ret;
}
```

**Explanation:**
The vulnerability was that the original code only checked against a global `avatarsize` setting without validating the MIME type-specific size limits from the `attachtypes` cache. An attacker could upload a very large image file that exceeds MIME-type-specific limits if the global `avatarsize` was not set (or was 0). The fix adds an additional check: `$avatar['size'] > $allowed_mime_types[$avatar['type']]` which enforces per-MIME-type size limits, preventing oversized uploads of specific image types.

---

## Vulnerability 2: Missing MIME Type Whitelist Validation

**Vulnerability Existed:** yes

**CWE-434 - Unrestricted Upload of File with Dangerous Type - inc/functions_upload.php Line 331**

**Old Code:**
```php
if($img_dimensions[2] != $img_type || $img_type == 0)
{
    $ret['error'] = $lang->error_uploadfailed;
    delete_uploaded_file($avatarpath."/".$filename);
    return $ret;
}
```

**Fixed Code:**
```php
if(empty($allowed_mime_types[$avatar['type']]) || $img_dimensions[2] != $img_type || $img_type == 0)
{
    $ret['error'] = $lang->error_uploadfailed;
    delete_uploaded_file($avatarpath."/".$filename);
    return $ret;
}
```

**Explanation:**
The original code did not validate that the MIME type is in the `$allowed_mime_types` array before allowing upload. This meant that even if a user group didn't have permission to upload certain MIME types (checked via `is_member($attachtype['groups'])` and `$attachtype['avatarfile']`), the MIME type validation was incomplete. The fix adds `empty($allowed_mime_types[$avatar['type']])` check, ensuring that only MIME types that are both (1) in the cache and (2) allowed for the user's group are accepted.

---

## Vulnerability 3: Potential Logic Error in File Size Check (Order of Operations)

**Vulnerability Existed:** not sure

**CWE-469 - Use of Pointer Arithmetic with Unexpected Operators - inc/functions_upload.php Line 339**

**Old Code:**
```php
// N/A - this logic didn't exist
```

**Fixed Code:**
```php
if(($avatar['size'] > ($mybb->settings['avatarsize']*1024) && $mybb->settings['avatarsize'] > 0) || $avatar['size'] > $allowed_mime_types[$avatar['type']] && !($mybb->settings['avatarsize'] > 0))
```

**Explanation:**
The new file size check mixes `&&` and `||` without full parenthesization, which makes it easy to misread. Because `&&` binds tighter than `||` in PHP, the condition `$avatar['size'] > $allowed_mime_types[$avatar['type']] && !($mybb->settings['avatarsize'] > 0)` is already evaluated as one group, so wrapping it in parentheses, `($avatar['size'] > $allowed_mime_types[$avatar['type']] && !($mybb->settings['avatarsize'] > 0))`, would not change behavior; it should likely be done anyway to make the intent explicit. The apparent intent is that if `avatarsize` is 0 (unlimited), the check falls back to the MIME-type-specific limit. Without knowing the original intent, this is uncertain, but the logic appears correct for enforcing per-MIME-type limits as a fallback.
inc/functions_user.php AI: No vulnerabilities
--- cache/mybb_mybb_1807/inc/functions_user.php	2025-12-06 11:32:55.226128564 +0000
+++ cache/mybb_mybb_1808/inc/functions_user.php	2025-12-06 11:32:55.982177385 +0000
@@ -127,6 +127,7 @@
  * @param string $password The md5()'ed password.
  * @param string $salt (Optional) The salt of the user.
  * @return array The new password.
+ * @deprecated deprecated since version 1.8.6 Please use other alternatives.
  */
 function update_password($uid, $password, $salt="")
 {
AI Analysis
Vulnerability Existed: no
No CWE/Vulnerability Identified - N/A - inc/functions_user.php - Lines 130
[Old Code]
```
 * @return array The new password.
 */
function update_password($uid, $password, $salt="")
```

[Fixed Code]
```
 * @return array The new password.
 * @deprecated deprecated since version 1.8.6 Please use other alternatives.
 */
function update_password($uid, $password, $salt="")
```

Explanation:
This diff adds a deprecation notice to the PHPDoc comment of the `update_password()` function. This is a documentation-only change that marks the function as deprecated in version 1.8.6, recommending users to use alternative methods. No code logic was modified, no security vulnerabilities were introduced or fixed, and the change does not alter the function's behavior. This is a best practice notification to developers that this function should no longer be used in new code.
inc/languages/english.php AI: No vulnerabilities
--- cache/mybb_mybb_1807/inc/languages/english.php	2025-12-06 11:32:55.230128823 +0000
+++ cache/mybb_mybb_1808/inc/languages/english.php	2025-12-06 11:32:55.982177385 +0000
@@ -12,10 +12,10 @@
 $langinfo['author'] = "MyBB Group";
 
 // The language authors website
-$langinfo['website'] = "http://www.mybb.com/";
+$langinfo['website'] = "https://mybb.com/";
 
 // Compatible version of MyBB
-$langinfo['version'] = "1807";
+$langinfo['version'] = "1808";
 
 // Sets if the translation includes the Admin CP (1 = yes, 0 = no)
 $langinfo['admin'] = 1;
AI Analysis
Vulnerability Existed: no
No vulnerabilities detected in this diff.

Explanation:
This diff contains only non-security configuration updates:
1. **Website URL upgrade (HTTP to HTTPS)**: Changed `http://www.mybb.com/` to `https://mybb.com/`. This is a security improvement, not a fix for a vulnerability in the code itself—it's a metadata update to use a secure protocol.
2. **Version string update**: Changed language pack version from "1807" to "1808". This is a simple version bump with no security implications.

Both changes are benign metadata updates that do not introduce, fix, or relate to code vulnerabilities. No CWE, injection, authentication, authorization, or data handling issues are present.
inc/languages/english/admin/config_attachment_types.lang.php AI: No vulnerabilities
--- cache/mybb_mybb_1807/inc/languages/english/admin/config_attachment_types.lang.php	2025-12-06 11:32:55.230128823 +0000
+++ cache/mybb_mybb_1808/inc/languages/english/admin/config_attachment_types.lang.php	2025-12-06 11:32:55.982177385 +0000
@@ -42,3 +42,12 @@
 
 $l['confirm_attachment_type_deletion'] = "Are you sure you wish to delete this attachment type?";
 
+$l['success_activated_attachment_type'] = 'The selected attachment type has been activated successfully.';
+$l['success_deactivated_attachment_type'] = 'The selected attachment type has been deactivated successfully.';
+
+$l['enabled'] = "Enabled?";
+$l['avatar_file'] = 'Avatar File';
+$l['avatar_file_desc'] = 'Do you want to allow this attachment type to be used for avatars?';
+
+$l['available_to_groups'] = 'Available to groups';
+$l['available_in_forums'] = 'Available in forums';
\ No newline at end of file
AI Analysis
Vulnerability Existed: no

No vulnerabilities detected in this diff.

Explanation:
This diff adds new language string definitions to a PHP language file (`inc/languages/english/admin/config_attachment_types.lang.php`). The changes consist entirely of adding new localized string constants to the `$l` array with descriptive text for UI elements related to attachment type management (activation/deactivation status, avatar file settings, and group/forum availability).

These are static string definitions with no dynamic input, variable interpolation, code execution, or security-sensitive operations. The strings are simple labels and messages used for user interface display. There are no injection vectors, unsafe functions, or insecure patterns introduced.
inc/languages/english/admin/config_banning.lang.php AI: No vulnerabilities
--- cache/mybb_mybb_1807/inc/languages/english/admin/config_banning.lang.php	2025-12-06 11:32:55.230128823 +0000
+++ cache/mybb_mybb_1808/inc/languages/english/admin/config_banning.lang.php	2025-12-06 11:32:55.982177385 +0000
@@ -16,7 +16,6 @@
 
 $l['banned_ip_addresses'] = "Banned IP Addresses";
 $l['username'] = "Username";
-$l['search_user'] = "Search for a user";
 $l['date_disallowed'] = "Date Disallowed";
 $l['last_attempted_use'] = "Last Attempted Use";
 $l['email_address'] = "Email Address";
AI Analysis
Vulnerability Existed: no

No Security Vulnerability Detected - Language File Change

Explanation:
This diff shows a simple removal of a language string definition from a PHP language file. The line being removed is:
```php
$l['search_user'] = "Search for a user";
```

This is a straightforward localization/language configuration change with no security implications. The modification:
- Does not involve any code execution
- Does not handle user input, authentication, or sensitive data
- Does not introduce or remove security controls
- Is simply removing an unused language constant from the admin configuration

This type of change (removing unused language strings) is a common maintenance task and poses no security risk. There are no vulnerabilities introduced or fixed in this diff.
inc/languages/english/admin/config_module_meta.lang.php AI: No vulnerabilities
--- cache/mybb_mybb_1807/inc/languages/english/admin/config_module_meta.lang.php	2025-12-06 11:32:55.230128823 +0000
+++ cache/mybb_mybb_1808/inc/languages/english/admin/config_module_meta.lang.php	2025-12-06 11:32:55.982177385 +0000
@@ -24,6 +24,7 @@
 $l['warning_system'] = "Warning System";
 $l['thread_prefixes'] = "Thread Prefixes";
 $l['security_questions'] = "Security Questions";
+$l['report_reasons'] = "Report Reasons";
 
 $l['can_manage_settings'] = "Can manage settings?";
 $l['can_manage_banned_accounts'] = "Can manage banned accounts?";
@@ -42,4 +43,5 @@
 $l['can_manage_mod_tools'] = "Can manage moderator tools?";
 $l['can_manage_thread_prefixes'] = "Can manage thread prefixes?";
 $l['can_manage_security_questions'] = "Can manage security questions?";
+$l['can_manage_report_reasons'] = "Can manage report reasons?";
 
AI Analysis
Vulnerability Existed: no

This is a language file update that adds two new localization strings for a "Report Reasons" feature in MyBB's admin panel. The changes are purely additive (two new string definitions) and contain no executable code that could introduce security vulnerabilities.

The additions:
- `$l['report_reasons'] = "Report Reasons";`
- `$l['can_manage_report_reasons'] = "Can manage report reasons?";`

These are simple string assignments used for UI labels and messages. There is no:
- User input processing
- Code execution
- Data manipulation
- Authentication/authorization logic
- SQL queries
- External API calls
- File operations
- Or any other potentially dangerous operations

Explanation: Language files in MyBB are configuration files that contain only static string definitions. They are not executable code and do not process any data or user input. This is a standard localization addition with no security implications.
inc/languages/english/admin/config_report_reasons.lang.php AI: No vulnerabilities
--- /dev/null
+++ cache/mybb_mybb_1808/inc/languages/english/admin/config_report_reasons.lang.php
@@ -0,0 +1,65 @@
+<?php
+/**
+ * MyBB 1.8 English Language Pack
+ * Copyright 2014 MyBB Group, All Rights Reserved
+ *
+ */
+
+$l['report_reasons'] = "Report Reasons";
+$l['report_reasons_desc'] = "Here you can create and manage reasons that can be selecting when users report content.";
+$l['add_new_reason'] = "Add New Reason";
+$l['add_new_reason_desc'] = "Add a new reason for users to select when reporting content.";
+$l['edit_reason'] = "Edit Reason";
+$l['edit_reason_desc'] = "Edit a reason for users to select when reporting content.";
+
+$l['applies_to'] = "Applies To";
+$l['order'] = "Order";
+$l['extra_comment'] = "Require Comment?";
+$l['options'] = "Options";
+$l['delete_reason'] = "Delete Reason";
+$l['no_report_reasons'] = "There are no report reasons on your forum at this time.";
+
+$l['reason_title'] = "Title";
+$l['reason_title_desc'] = "Enter the title of the reason for reporting the content.";
+$l['requires_extra'] = "Require An Extra Comment?";
+$l['requires_extra_desc'] = "Require the user to enter an additional comment when this reason is selected?";
+$l['save_reason'] = "Save Reason";
+
+$l['content_colon'] = "Content:";
+
+$l['all_content'] = "All content";
+$l['select_content'] = "Select content";
+
+// Content types
+$l['report_content_'] = "None";
+$l['report_content_all'] = "All";
+$l['report_content_post'] = "Post";
+$l['report_content_profile'] = "Profile";
+$l['report_content_reputation'] = "Reputation";
+
+// Content reasons
+$l['report_reason_rules'] = "Breaks Forum Rules";
+$l['report_reason_bad'] = "Inappropriate Content";
+$l['report_reason_spam'] = "Spam Content";
+$l['report_reason_wrong'] = "Wrong Forum";
+$l['report_reason_other'] = "Other";
+
+$l['default_report_reason'] = "Default";
+$l['custom_report_reason'] = "Custom";
+
+$l['update_reasons_order'] = "Update Reasons Order";
+
+$l['error_cannot_modify_reason'] = "You cannot modify this reason.";
+$l['error_cannot_delete_reason'] = "You cannot delete this reason.";
+$l['error_invalid_reason'] = "You have selected an invalid reason.";
+$l['error_missing_title'] = "You did not enter a title for this reason.";
+//$l['error_missing_applies_to'] = "You did not select what content this reason applies to.";
+$l['error_missing_extra'] = "You did not select if you want extra information for this reason.";
+
+$l['success_reasons_disporder_updated'] = "The report reason display orders have been updated successfully.";
+$l['success_reason_created'] = "The reason has been created successfully.";
+$l['success_reason_updated'] = "The reason has been updated successfully.";
+$l['success_reason_deleted'] = "The reason has been deleted successfully.";
+
+$l['confirm_reason_deletion'] = "Are you sure you wish to delete this reason?";
+
AI Analysis
Vulnerability Existed: no

This is a new language file (configuration/localization file) containing only static string definitions. There are no security vulnerabilities present.

Explanation:
The file consists entirely of PHP variable assignments for language strings used in the MyBB forum software's admin panel. These are:
- Static language constants with no user input processing
- No database queries or operations
- No file operations or system calls
- No variable interpolation or dynamic code execution
- No authentication/authorization logic
- No cryptographic operations

Language/localization files like this are inherently safe as they contain only predefined text content with no executable logic or security-sensitive operations. The file follows standard MyBB localization conventions and poses no security risk.
inc/languages/english/admin/config_settings.lang.php AI: No vulnerabilities
--- cache/mybb_mybb_1807/inc/languages/english/admin/config_settings.lang.php	2025-12-06 11:32:55.230128823 +0000
+++ cache/mybb_mybb_1808/inc/languages/english/admin/config_settings.lang.php	2025-12-06 11:32:55.982177385 +0000
@@ -83,13 +83,16 @@
 $l['error_cannot_edit_php'] = "This is a special type of setting which cannot be edited.";
 $l['error_ajax_search'] = "There was a problem searching for settings:";
 $l['error_ajax_unknown'] = "An unknown error occurred while searching for settings.";
-$l['error_chmod_settings_file'] = "The settings file \"./inc/settings.php\" isn't writable. Please CHMOD to 777.<br />For more information on CHMODing, see the <a href=\"http://docs.mybb.com/HowTo_Chmod.html\" target=\"_blank\">MyBB Docs</a>.";
-$l['error_hidden_captcha_conflict'] = "The hidden captcha value cannot be \"{1}\" as it conflicts with another registration field.";
+$l['error_chmod_settings_file'] = "The settings file \"./inc/settings.php\" isn't writable. Please CHMOD to 777.<br />For more information on CHMODing, see the <a href=\"https://docs.mybb.com/1.8/administration/security/file-permissions\" target=\"_blank\">MyBB Docs</a>.";
 
 $l['success_setting_added'] = "The setting has been created successfully.";
 $l['success_setting_updated'] = "The setting has been updated successfully.";
 $l['success_setting_deleted'] = "The selected setting has been deleted successfully.";
 $l['success_settings_updated'] = "The settings have been updated successfully.";
+$l['success_settings_updated_hiddencaptchaimage'] = '<div class="smalltext" style="font-weight: normal;">Please note that the <strong>Hidden CAPTCHA field</strong> setting was reverted to <strong>{1}</strong> due to a conflict with the <strong>{2}</strong> field in the registration form.</div>';
+$l['success_settings_updated_username_method'] = '<div class="smalltext" style="font-weight: normal;">Please note that the <b>Allowed Login Methods</b> setting was not updated due to multiple users using the same e-mail address at this time.</div>';
+$l['success_settings_updated_allowmultipleemails'] = '<div class="smalltext" style="font-weight: normal;">Please note that the <b>Allow emails to be registered multiple times?</b> setting can\'t be enabled because the <b>Allowed Login Methods</b> setting allows users to login by e-mail address.</div>';
+$l['success_settings_updated_captchaimage'] = '<div class="smalltext" style="font-weight: normal;">Please note that the <strong>CAPTCHA Images for Registration &amp; Posting</strong> setting was reverted to <strong>MyBB Default Captcha</strong> due to the lack of public/private key(s).</div>';
 $l['success_display_orders_updated'] = "The setting display orders have been updated successfully.";
 $l['success_setting_group_added'] = "The setting group has been created successfully.";
 $l['success_setting_group_updated'] = "The setting group has been updated successfully.";
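Review bot: The rewritten `error_chmod_settings_file` string still instructs the administrator to `Please CHMOD to 777` for `./inc/settings.php`, even though its link now points at the file-permissions page under administration/security. A world-writable settings file can be altered by any other local account on a shared host, so the message should ask for the least permissive mode that lets the web server write the file and leave the exact value to the linked page, for example `isn't writable. Please make it writable by the web server.` Separately, `{1}` and `{2}` in `success_settings_updated_hiddencaptchaimage` are substituted into raw HTML; the calling code is outside this hunk, so it is worth confirming that those values are HTML-escaped before substitution.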
AI Analysis
```
Vulnerability Existed: no
HTTP to HTTPS Upgrade - No CWE (Information Security Best Practice) - inc/languages/english/admin/config_settings.lang.php - Line 86
Old Code:
$l['error_chmod_settings_file'] = "The settings file \"./inc/settings.php\" isn't writable. Please CHMOD to 777.<br />For more information on CHMODing, see the <a href=\"http://docs.mybb.com/HowTo_Chmod.html\" target=\"_blank\">MyBB Docs</a>.";

Fixed Code:
$l['error_chmod_settings_file'] = "The settings file \"./inc/settings.php\" isn't writable. Please CHMOD to 777.<br />For more information on CHMODing, see the <a href=\"https://docs.mybb.com/1.8/administration/security/file-permissions\" target=\"_blank\">MyBB Docs</a>.";

Explanation:
This is not a vulnerability fix but a security best practice improvement. The change upgrades an HTTP link to HTTPS and updates the documentation URL path. This prevents man-in-the-middle attacks on the documentation link and ensures the user is directed to the correct, current documentation page. No actual vulnerability existed in the old code—this is a proactive security hardening measure.
```

```
Vulnerability Existed: no
No Security Vulnerability - Addition of User-Facing Messages - inc/languages/english/admin/config_settings.lang.php - Lines 91-94
Old Code:
(Lines did not exist)

Fixed Code:
$l['success_settings_updated_hiddencaptchaimage'] = '<div class="smalltext" style="font-weight: normal;">Please note that the <strong>Hidden CAPTCHA field</strong> setting was reverted to <strong>{1}</strong> due to a conflict with the <strong>{2}</strong> field in the registration form.</div>';
$l['success_settings_updated_username_method'] = '<div class="smalltext" style="font-weight: normal;">Please note that the <b>Allowed Login Methods</b> setting was not updated due to multiple users using the same e-mail address at this time.</div>';
$l['success_settings_updated_allowmultipleemails'] = '<div class="smalltext" style="font-weight: normal;">Please note that the <b>Allow emails to be registered multiple times?</b> setting can\'t be enabled because the <b>Allowed Login Methods</b> setting allows users to login by e-mail address.</div>';
$l['success_settings_updated_captchaimage'] = '<div class="smalltext" style="font-weight: normal;">Please note that the <strong>CAPTCHA Images for Registration &amp; Posting</strong> setting was reverted to <strong>MyBB Default Captcha</strong> due to the lack of public/private key(s).</div>';

Explanation:
These are new language strings added for informational/warning messages to administrators. The literal ampersand is written as the HTML entity `&amp;`, and the apostrophe in `can\'t` is backslash-escaped for the single-quoted PHP string. No security vulnerabilities are introduced—these are user-facing messages with no injection vectors or sensitive data exposure.
```

**Summary:** This diff represents a security hardening improvement (HTTPS upgrade) and adds new administrative notification messages. No actual vulnerabilities were fixed or introduced.
inc/languages/english/admin/global.lang.php AI: No vulnerabilities
--- cache/mybb_mybb_1807/inc/languages/english/admin/global.lang.php	2025-12-06 11:32:55.234129081 +0000
+++ cache/mybb_mybb_1808/inc/languages/english/admin/global.lang.php	2025-12-06 11:32:55.986177642 +0000
@@ -133,6 +133,8 @@
 $l['off'] = "Off";
 $l['alt_enabled'] = "Enabled";
 $l['alt_disabled'] = "Disabled";
+$l['enable'] = "Enable";
+$l['disable'] = "Disable";
 $l['saved'] = 'Saved';
 
 $l['rel_in'] = "In ";
@@ -176,7 +178,7 @@
 $l['loading_text'] = "Loading<br />Please wait...";
 
 // Time zone selection boxes
-$l['timezone_gmt_minus_1200'] = "(GMT -12:00) Marshall Islands";
+$l['timezone_gmt_minus_1200'] = "(GMT -12:00) Howland and Baker Islands";
 $l['timezone_gmt_minus_1100'] = "(GMT -11:00) Nome, Midway Island";
 $l['timezone_gmt_minus_1000'] = "(GMT -10:00) Hawaii, Papeete";
 $l['timezone_gmt_minus_950'] = "(GMT -9:30) Marquesas Islands";
@@ -205,13 +207,15 @@
 $l['timezone_gmt_650'] = "(GMT +6:30) Yangon";
 $l['timezone_gmt_700'] = "(GMT +7:00) Bangkok, Hanoi, Jakarta";
 $l['timezone_gmt_800'] = "(GMT +8:00) Beijing, Hong Kong, Perth, Singapore, Taipei, Manila";
+$l['timezone_gmt_850'] = "(GMT +8:30) Pyongyang";
+$l['timezone_gmt_875'] = "(GMT +8:45) Eucla";
 $l['timezone_gmt_900'] = "(GMT +9:00) Osaka, Sapporo, Seoul, Tokyo, Irkutsk";
 $l['timezone_gmt_950'] = "(GMT +9:30) Adelaide, Darwin";
 $l['timezone_gmt_1000'] = "(GMT +10:00) Melbourne, Papua New Guinea, Sydney, Yakutsk";
 $l['timezone_gmt_1050'] = "(GMT +10:30) Lord Howe Island";
 $l['timezone_gmt_1100'] = "(GMT +11:00) Magadan, New Caledonia, Solomon Islands, Vladivostok";
 $l['timezone_gmt_1150'] = "(GMT +11:30) Norfolk Island";
-$l['timezone_gmt_1200'] = "(GMT +12:00) Auckland, Wellington, Fiji, Marshall Island";
+$l['timezone_gmt_1200'] = "(GMT +12:00) Auckland, Wellington, Fiji, Marshall Islands";
 $l['timezone_gmt_1275'] = "(GMT +12:45) Chatham Islands";
 $l['timezone_gmt_1300'] = "(GMT +13:00) Samoa, Tonga, Tokelau";
 $l['timezone_gmt_1400'] = "(GMT +14:00) Line Islands";
AI Analysis
Vulnerability Existed: no
No Security Vulnerabilities Detected - [File Content/Localization Update] - inc/languages/english/admin/global.lang.php

Old Code:
```php
$l['off'] = "Off";
$l['alt_enabled'] = "Enabled";
$l['alt_disabled'] = "Disabled";
$l['saved'] = 'Saved';
...
$l['timezone_gmt_minus_1200'] = "(GMT -12:00) Marshall Islands";
...
$l['timezone_gmt_800'] = "(GMT +8:00) Beijing, Hong Kong, Perth, Singapore, Taipei, Manila";
$l['timezone_gmt_900'] = "(GMT +9:00) Osaka, Sapporo, Seoul, Tokyo, Irkutsk";
...
$l['timezone_gmt_1200'] = "(GMT +12:00) Auckland, Wellington, Fiji, Marshall Island";
```

Fixed Code:
```php
$l['off'] = "Off";
$l['alt_enabled'] = "Enabled";
$l['alt_disabled'] = "Disabled";
$l['enable'] = "Enable";
$l['disable'] = "Disable";
$l['saved'] = 'Saved';
...
$l['timezone_gmt_minus_1200'] = "(GMT -12:00) Howland and Baker Islands";
...
$l['timezone_gmt_800'] = "(GMT +8:00) Beijing, Hong Kong, Perth, Singapore, Taipei, Manila";
$l['timezone_gmt_850'] = "(GMT +8:30) Pyongyang";
$l['timezone_gmt_875'] = "(GMT +8:45) Eucla";
$l['timezone_gmt_900'] = "(GMT +9:00) Osaka, Sapporo, Seoul, Tokyo, Irkutsk";
...
$l['timezone_gmt_1200'] = "(GMT +12:00) Auckland, Wellington, Fiji, Marshall Islands";
```

Explanation:
This diff contains only localization and configuration string updates with no security implications. The changes include:
1. Adding two new language string entries (`enable` and `disable`)
2. Correcting timezone label descriptions (updating "Marshall Islands" to "Howland and Baker Islands" for GMT -12:00, adding missing timezone entries for GMT +8:30 and GMT +8:45, and fixing the plural form of "Marshall Island" to "Marshall Islands")

These are purely cosmetic and informational updates to language strings and timezone labels. No code logic changes, no input validation issues, no injection vectors, and no security-relevant modifications are present. This is a safe localization update.
inc/languages/english/admin/home_dashboard.lang.php AI: No vulnerabilities
--- cache/mybb_mybb_1807/inc/languages/english/admin/home_dashboard.lang.php	2025-12-06 11:32:55.234129081 +0000
+++ cache/mybb_mybb_1808/inc/languages/english/admin/home_dashboard.lang.php	2025-12-06 11:32:55.986177642 +0000
@@ -36,7 +36,7 @@
 $l['no_announcements'] = "No stored announcements. <a href=\"index.php?module=home&amp;action=version_check\">Check for Updates</a>.";
 $l['your_version'] = "Your Version";
 $l['latest_version'] = "Latest Version";
-$l['update_forum'] = "Please upgrade to the latest version of MyBB by visiting the <a href=\"http://www.mybb.com\" target=\"_blank\">MyBB Website</a>.";
+$l['update_forum'] = "Please upgrade to the latest version of MyBB by visiting the <a href=\"https://mybb.com\" target=\"_blank\">MyBB Website</a>.";
 $l['read_more'] = "Read more";
 
 $l['success_up_to_date'] = "Congratulations, you are running the latest version of MyBB.";
@@ -45,11 +45,10 @@
 $l['error_communication'] = "There was a problem communicating with the version server. Please try again in a few minutes.";
 $l['error_fetch_news'] = "MyBB was unable to successfully fetch the latest announcements from the MyBB website.";
 
-$l['news_description'] = "The latest news from the <a href=\"http://blog.mybb.com/\" target=\"_blank\">MyBB Blog</a>.";
+$l['news_description'] = "The latest news from the <a href=\"https://blog.mybb.com/\" target=\"_blank\">MyBB Blog</a>.";
 
 $l['admin_notes_public'] = "These notes are public to all administrators.";
 $l['admin_notes'] = "Administrator Notes";
 $l['save_notes'] = "Save Notes";
 
 $l['success_notes_updated'] = "The administrator notes have been successfully updated.";
-
AI Analysis
Vulnerability Existed: no
No CWE applicable - inc/languages/english/admin/home_dashboard.lang.php
Not applicable - no vulnerability

Fixed Code:
Changed HTTP URLs to HTTPS for external links:
- `http://www.mybb.com` → `https://mybb.com`
- `http://blog.mybb.com/` → `https://blog.mybb.com/`

Explanation:
This diff contains only security improvements, not vulnerability fixes. The changes upgrade insecure HTTP protocol links to secure HTTPS protocol for external MyBB domains. This is a best practice enhancement to ensure encrypted communication and prevent man-in-the-middle attacks when users click these links. Additionally, the `www.` prefix was removed from the main domain URL (standard modern practice). There are no code vulnerabilities being fixed here—only protocol hardening and URL modernization. The removed blank line at the end is a formatting cleanup with no security implications.
inc/languages/english/admin/home_preferences.lang.php AI: No vulnerabilities
--- cache/mybb_mybb_1807/inc/languages/english/admin/home_preferences.lang.php	2025-12-06 11:32:55.234129081 +0000
+++ cache/mybb_mybb_1808/inc/languages/english/admin/home_preferences.lang.php	2025-12-06 11:32:55.986177642 +0000
@@ -22,7 +22,7 @@
 
 $l['success_preferences_updated'] = "The preferences have been successfully updated.";
 
-$l['use_2fa_desc'] = "Two-Factor Authentication is a method to secure your admin account. After you've enabled it you'll see a QR Code below which you need to scan with an app <a href=\"http://docs.mybb.com/1.8/administration/security/2fa/\" target=\"_blank\">like Google Authenticator or Authy</a>. Those apps will generate a token which you need to enter on every acp login.";
+$l['use_2fa_desc'] = "Two-Factor Authentication is a method to secure your admin account. After you've enabled it you'll see a QR Code below which you need to scan with an app <a href=\"https://docs.mybb.com/1.8/administration/security/2fa/\" target=\"_blank\">like Google Authenticator or Authy</a>. Those apps will generate a token which you need to enter on every acp login.";
 $l['my2fa_qr'] = "Two-Factor Authentication Code";
 $l['recovery_codes_desc'] = "View your <a href=\"index.php?module=home-preferences&amp;action=recovery_codes\">recovery codes</a>.";
 $l['recovery_codes'] = "Recovery Codes";
AI Analysis
Vulnerability Existed: no
[Insecure Transport (HTTP instead of HTTPS)] - [CWE-319] - inc/languages/english/admin/home_preferences.lang.php [25]
[Old Code]
$l['use_2fa_desc'] = "Two-Factor Authentication is a method to secure your admin account. After you've enabled it you'll see a QR Code below which you need to scan with an app <a href=\"http://docs.mybb.com/1.8/administration/security/2fa/\" target=\"_blank\">like Google Authenticator or Authy</a>. Those apps will generate a token which you need to enter on every acp login.";

[Fixed Code]
$l['use_2fa_desc'] = "Two-Factor Authentication is a method to secure your admin account. After you've enabled it you'll see a QR Code below which you need to scan with an app <a href=\"https://docs.mybb.com/1.8/administration/security/2fa/\" target=\"_blank\">like Google Authenticator or Authy</a>. Those apps will generate a token which you need to enter on every acp login.";

Explanation:
This change upgrades the documentation link from HTTP to HTTPS. While the old code used insecure HTTP transport, this was not a direct vulnerability in the application code itself since it's merely a reference link in documentation text. The fix properly addresses the best practice of using HTTPS for all external links, especially those pointing to security-related documentation. This prevents potential man-in-the-middle attacks on users accessing the documentation link and demonstrates security best practices.